3 Replies Latest reply on Aug 3, 2018 12:38 AM by hochstic

    VMSA-2018-0012.1 Issues - VMware Patches seems not working

    KTUCLA Novice

      Hi everybody,

      We have a cluster of 10 HPE ProLiant DL380 G9 hosts and vCenter 6.5. The vCenter Appliance is running the latest version from VMware, and the ESXi hosts are also up to date, running VMware ESXi, 6.5.0, 8935087.

      The cluster is running in EVC mode at the Intel® "Haswell" generation because 5 of our hosts have Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz and the other five have Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz.

      All of these hosts have the latest BIOS and microcode update from HPE (version 2.60) applied. According to HPE, this should fix CVE-2018-3639.

      According to the VMware Knowledge Base, we should find “Capability Found: cpuid.SSBD” in the vmware.log of guest VMs after powering them off and on again. But we don't have this. So it looks like the patch is not correctly applied to all servers in the cluster, or something else is missing.

      On a Windows guest VM, running Get-SpeculationControlSettings gives:

      Speculation control settings for CVE-2017-5715 [branch target injection]
      For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

      Hardware support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: True
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

      Speculation control settings for CVE-2017-5754 [rogue data cache load]

      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: True
      Windows OS support for kernel VA shadow is enabled: False

      Speculation control settings for CVE-2018-3639 [speculative store bypass]

      Hardware is vulnerable to speculative store bypass: True
      Hardware support for speculative store bypass mitigation is present: False
      Windows OS support for speculative store bypass mitigation is present: True
      Windows OS support for speculative store bypass mitigation is enabled system-wide: False

      Suggested actions

      * Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698

      BTIHardwarePresent                  : True
      BTIWindowsSupportPresent            : True
      BTIWindowsSupportEnabled            : False
      BTIDisabledBySystemPolicy           : True
      BTIDisabledByNoHardwareSupport      : False
      KVAShadowRequired                   : True
      KVAShadowWindowsSupportPresent      : True
      KVAShadowWindowsSupportEnabled      : False
      KVAShadowPcidEnabled                : False
      SSBDWindowsSupportPresent           : True
      SSBDHardwareVulnerable              : True
      SSBDHardwarePresent                 : False
      SSBDWindowsSupportEnabledSystemWide : False


      Another HPE ProLiant DL380 G9 running Windows natively without VMware, also with HPE BIOS version 2.60, gives the following result when running Get-SpeculationControlSettings:

      Speculation control settings for CVE-2017-5715 [branch target injection]
      For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

      Hardware support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: True
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

      Speculation control settings for CVE-2017-5754 [rogue data cache load]

      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: True
      Windows OS support for kernel VA shadow is enabled: False

      Speculation control settings for CVE-2018-3639 [speculative store bypass]

      Hardware is vulnerable to speculative store bypass: True
      Hardware support for speculative store bypass mitigation is present: True
      Windows OS support for speculative store bypass mitigation is present: True
      Windows OS support for speculative store bypass mitigation is enabled system-wide: False

      Suggested actions

      * Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698

      BTIHardwarePresent                  : True
      BTIWindowsSupportPresent            : True
      BTIWindowsSupportEnabled            : False
      BTIDisabledBySystemPolicy           : True
      BTIDisabledByNoHardwareSupport      : False
      KVAShadowRequired                   : True
      KVAShadowWindowsSupportPresent      : True
      KVAShadowWindowsSupportEnabled      : False
      KVAShadowPcidEnabled                : False
      SSBDWindowsSupportPresent           : True
      SSBDHardwareVulnerable              : True
      SSBDHardwarePresent                 : True
      SSBDWindowsSupportEnabledSystemWide : False


      So according to this one, the HPE BIOS has the problem fixed, but only VMware has something missing.

      Does somebody have such issues? What can we do to get this fixed?

      Thank you for your help,
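An added triage helper (my own example, not code from VMware, HPE or the poster) that parses the two Get-SpeculationControlSettings results above, points at the layer where SSBD goes missing, and checks a vmware.log for the "Capability Found: cpuid.SSBD" line the KB refers to; the sample outputs and log lines are constructed excerpts.

```python
import re

# Constructed excerpts (not the full tool output) of the Get-SpeculationControlSettings
# tail, modelled on the two results posted above: the guest VM and the bare-metal host.
GUEST_OUTPUT = """
BTIHardwarePresent                  : True
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : False
SSBDWindowsSupportEnabledSystemWide : False
"""
HOST_OUTPUT = """
BTIHardwarePresent                  : True
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : True
SSBDWindowsSupportEnabledSystemWide : False
"""
# Constructed vmware.log lines (format assumed); the SSBD line is the one the KB says to look for.
VMWARE_LOG = [
    "vmx| I125: Capability Found: cpuid.IBRS = 0x1",
    "vmx| I125: Capability Found: cpuid.SSBD = 0x1",
]

def parse_settings(text):
    """Turn the 'Name : True/False' tail of the tool output into a dict of booleans."""
    pairs = re.findall(r"^\s*(\w+)\s*:\s*(True|False)\s*$", text, re.MULTILINE)
    return {name: value == "True" for name, value in pairs}

def ssbd_status(s):
    """Classify the CVE-2018-3639 state of one machine from its SSBD* fields."""
    if not s.get("SSBDHardwareVulnerable", True):
        return "not-vulnerable"
    if not s.get("SSBDHardwarePresent", False):
        return "hardware-missing"   # CPU feature not visible: microcode or hypervisor layer
    if not s.get("SSBDWindowsSupportEnabledSystemWide", False):
        return "os-not-enabled"     # feature visible, Windows mitigation not switched on
    return "mitigated"

def hidden_by_hypervisor(guest, host):
    """Hardware capabilities the bare-metal host reports but the guest does not see."""
    return sorted(k for k, v in host.items()
                  if k.endswith("HardwarePresent") and v and not guest.get(k, False))

def vmware_log_has_ssbd(lines):
    """True when the VM's vmware.log shows the SSBD capability was exposed to it."""
    return any("Capability Found: cpuid.SSBD" in line for line in lines)

if __name__ == "__main__":
    guest, host = parse_settings(GUEST_OUTPUT), parse_settings(HOST_OUTPUT)
    print("guest:", ssbd_status(guest), "| host:", ssbd_status(host))
    print("hidden from guest:", hidden_by_hypervisor(guest, host))
    print("vmware.log shows SSBD:", vmware_log_has_ssbd(VMWARE_LOG))
```

With the two results from the post, the guest comes out as "hardware-missing" while the bare-metal host is "os-not-enabled", and SSBDHardwarePresent is the only capability hidden from the guest, which matches the poster's reading that the BIOS/microcode is fine and the gap sits between host and VM.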